A Severe Red Hat Privilege Escalation Flaw Is Out There
Posted in Commentary with tags Hacked, Red Hat on October 1, 2025 by itnerd
A severe privilege escalation flaw (CVE-2025-10725, CVSS 9.9) has been disclosed in Red Hat’s OpenShift AI service, which manages the lifecycle of predictive and generative AI models across hybrid cloud environments. The vulnerability allows a low-privileged, authenticated user—such as a data scientist using a Jupyter notebook—to escalate privileges to full cluster administrator. This could enable an attacker to exfiltrate data, disrupt services, and take control of the infrastructure, leading to complete compromise. Red Hat classified the issue as “Important” rather than “Critical” due to the requirement of authenticated access, but acknowledged that it exposes all cluster confidentiality, integrity, and availability. The company advises restricting permissions for system-level groups and applying least-privilege principles for job creation.
You can read the Red Hat advisory here: https://access.redhat.com/security/cve/cve-2025-10725
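
One way to check a cluster against that advice, as an added example that is not taken from the Red Hat advisory: the script below takes the JSON from `oc get clusterroles -o json` and `oc get clusterrolebindings -o json` and reports bindings that give a broad built-in group the right to create batch Jobs. The role, binding and team names in the sample data are constructed, and namespaced RoleBindings are outside what it checks.

```python
# Added example: flag ClusterRoleBindings that let a system-level group create Jobs.
# Built-in Kubernetes groups that cover every user or every service account.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}
# A CronJob spawns Jobs, so creating one is treated as job creation too.
JOB_RESOURCES = {"jobs", "cronjobs", "*"}

def grants_job_create(role):
    """True if any rule in the ClusterRole allows creating batch Jobs."""
    for rule in role.get("rules") or []:
        if (set(rule.get("apiGroups", [])) & {"batch", "*"}
                and set(rule.get("resources", [])) & JOB_RESOURCES
                and set(rule.get("verbs", [])) & {"create", "*"}):
            return True
    return False

def risky_bindings(roles_doc, bindings_doc):
    """Return (binding, group, role) for each broad group bound to a job-creating role."""
    job_roles = {r["metadata"]["name"] for r in roles_doc["items"] if grants_job_create(r)}
    findings = []
    for b in bindings_doc["items"]:
        ref = b["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in job_roles:
            continue
        for s in b.get("subjects") or []:
            if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS:
                findings.append((b["metadata"]["name"], s["name"], ref["name"]))
    return findings

def _binding(name, role, group):
    return {"metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "Group", "name": group}]}

# Constructed sample data; all names here are hypothetical.
SAMPLE_ROLES = {"items": [
    {"metadata": {"name": "example-job-submitter"},
     "rules": [{"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create", "get"]}]},
    {"metadata": {"name": "example-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]}
SAMPLE_BINDINGS = {"items": [
    _binding("example-all-users-jobs", "example-job-submitter", "system:authenticated"),
    _binding("example-team-jobs", "example-job-submitter", "example-ml-team"),
    _binding("example-all-users-view", "example-viewer", "system:authenticated"),
]}

if __name__ == "__main__":
    for binding, group, role in risky_bindings(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{binding}: group {group} can create Jobs via ClusterRole {role}")
```

Each finding is a candidate for rebinding to a specific user or team group so that job creation is granted per need rather than to every authenticated identity.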
Gunter Ollmann, CTO, Cobalt had this to say:
“AI platforms are rapidly becoming high-value targets because they combine sensitive data, critical infrastructure, and powerful compute in one place. This vulnerability shows how even a low-privileged role can become a launchpad for full control of an AI environment if privilege boundaries aren’t enforced. While authenticated access may sound like a barrier, in real-world environments credentials are often shared, phished, or exposed through weak operational practices. Organizations adopting AI at scale must treat these systems with the same rigor as any mission-critical infrastructure—least privilege, continuous testing, and proactive detection. Otherwise, the promise of AI becomes paired with a massive, underappreciated attack surface.”
Wade Ellery, Chief Evangelist and IAM Strategy Officer, Radiant Logic adds this:
“In today’s cyber-criminal world, account compromise is table stakes. The idiom now is that an attacker only needs to log in to the network now to gain access. Phishing, token hijacking, iFrame overflow, credential stuffing, have been shown to be very effective in dozens of recent successful breaches. The working assumption is that the network is already breached and that there are already compromised accounts at risk. Relying on a failed layer of protection to downgrade an account escalation to full privileges from Critical to Important may well underserve the community. This breach and the reaction to it reinforce the need for a second layer of protection reinforcing authentication at the authorization layer. Identity Observability actively monitors, alerts, and remediates threats from compromised accounts by recognizing anomalous behavior, policy violations, and out-of-band access escalations. The old walls have fallen; it is time to build an effective layer of defense at the identity observability layer.
AI platforms amplify the risks we already face with identity and privilege management. When a standard user can escalate to cluster administrator, it shows how fragile role boundaries can be without proper observability and enforcement. These environments are only as secure as their ability to monitor who has access, how that access is being used, and when privilege escalation occurs. Building AI securely means applying Zero Trust to every identity—human and machine alike—so no single credential or role can become the key to the entire system. Without that visibility, organizations are effectively flying blind in one of the most sensitive parts of their infrastructure.”
Red Hat users should look at the mitigation steps in the advisory and implement them ASAP given the impact and the severity of this flaw. To be frank, this flaw is pretty scary and should scare anyone in the Red Hat community.